Updated on 2025-07-23 GMT+08:00

Access Control Policy Overview

CFW allows all traffic by default. If no access control policies are configured, all communication between internal servers and the Internet is allowed, so unauthorized access and lateral movement go unchecked. Configure access control policies in CFW to allow or block specific traffic and build protection along several dimensions (source and destination address, region, domain name, service, and application).

Access Control Policy Types

Access control policies include protection rules, the blacklist, and the whitelist. Table 1 describes their differences. If traffic hits a policy, the action specified in the policy will be performed.

Table 1 Differences between protection rules and blacklist/whitelist

Protection rules

  • Protected object: 5-tuples, IP address groups, geographical locations, domain names and domain name groups
  • Network type: EIP, private IP address
  • Action:
    • Block: the traffic is blocked.
    • Allow: the traffic passes the protection rules and is then checked by IPS.
  • Configuration method: Configuring Protection Rules to Block or Allow Internet Border Traffic

Blacklist and whitelist

  • Protected object: 5-tuples, IP address groups
  • Network type: EIP, private IP address
  • Action:
    • Blacklist: the traffic is blocked directly.
    • Whitelist: the traffic is allowed by CFW and not checked by other functions (including IPS).
  • Configuration method: Adding Blacklist or Whitelist Items to Block or Allow Traffic

Priority of Access Control Policies

The priorities of CFW access control policies, in descending order, are: Whitelist > Blacklist > Protection rule (ACL). A flow that hits a whitelist item is allowed without being checked against the blacklist, the protection rules, or IPS; a flow that hits a blacklist item is blocked even if a protection rule would allow it; only flows that hit neither list are evaluated against the protection rules.

Figure 1 Protection priority

For details about the protection sequence of all CFW policies, see What Are the Priorities of the Protection Settings in CFW?

Specification Limitations

To enable VPC border protection and NAT protection, use the CFW professional edition and enable the VPC border firewall.

Precautions for Configuring a Blocking Policy

The precautions for configuring a protection rule or a blacklist item that blocks IP addresses are as follows:

  1. Prefer specific IP addresses (for example, 192.168.10.5) over network segments. A block on a whole segment is easy to get wrong and can cut off hosts you did not intend to block.
  2. Exercise caution when blocking reverse proxy IP addresses, such as the WAF back-to-source IP addresses. The traffic arriving from them is your own users' traffic relayed by the proxy, so blocking them cuts those users off. Permit reverse proxy addresses with a protection rule or a whitelist item instead.
  3. Blocking a forward proxy IP address (such as a company egress IP address) blocks every client behind that proxy, so it can have a large impact. Exercise caution when configuring such a block.
  4. Region protection matches on the IP address, so when an EIP changes (yours or a peer's), traffic may start or stop matching a region rule. Take possible EIP changes into consideration and review region rules when EIPs change.

Elements in a Protection Rule

Protection rules identify and match the following traffic elements to allow or block the related traffic. For each element, the description, the configuration types, and the configuration supported by the different rule types are listed.

Source

  • Description: the party that initiates a connection.
  • Configuration types:
    • IP address: access control is performed on the traffic from a specific IP address.
    • IP address group: access control is performed on the traffic from a set of IP addresses.
    • Region: access control is performed on the traffic from the IP addresses in a specific region.
    • Any: any source address.
  • Supported by rule type:
    • Internet border: inbound: IP address, IP address group, region, and Any; outbound: IP address, IP address group, and Any.
    • NAT gateway: inbound: IP address, IP address group, region, and Any; outbound: IP address, IP address group, and Any.
    • VPC border: IP address, IP address group, and Any.

Destination

  • Description: the party that receives a connection.
  • Configuration types:
    • IP address: access control is performed on the traffic sent to a specific IP address.
    • IP address group: access control is performed on the traffic sent to a set of IP addresses.
    • Region: access control is performed on the traffic sent to the IP addresses in a specific region.
    • Domain name or domain name group: access control is performed on the traffic sent to specific domain names. To set the destination to a domain name or domain name group, choose one of the following domain name types:
      • Application: HTTP, HTTPS, TLS, SMTPS, or POPS. CFW matches the domain name against the HTTP Host header or the TLS SNI field in preference to the resolved address, so the match does not depend on which IP address the name currently resolves to.
      • Network: CFW resolves the domain name itself and controls access to the resulting IP addresses. Because the match is on the resolved addresses, a name whose records change frequently, or that resolves differently for CFW and for the client, may not be matched consistently.
    • Any: any destination address.
  • Supported by rule type:
    • Internet border: inbound: IP address, IP address group, and Any; outbound: IP address, IP address group, region, domain name, domain name group, and Any.
    • NAT gateway: inbound: IP address, IP address group, and Any; outbound: IP address, IP address group, region, domain name, domain name group, and Any.
    • VPC border: IP address, IP address group, domain name, domain name group, and Any.

Service

  • Description: the transport-layer protocol and the port numbers of the traffic.
  • Configuration types:
    • Service: set Protocol Type (TCP, UDP, or ICMP), Source Port, and Destination Port. Access is controlled on the traffic's source port and destination port. ICMP carries no ports, so the port fields cannot be set for it.
    • Service group: a set of services.
    • Any: select Any if you are not sure about the protocol type.

Application

  • Description: the application-layer protocol.
  • Configuration types: HTTP, HTTPS, SMTP, SMTPS, SSL, or POP3. If you are not sure about the protocol type, select Any.
  • Supported by rule type: varies with the selected protocol type.

Example configuration (parameter, input, and meaning):

  • Source/Destination
    • 0.0.0.0/0: all IP addresses
  • Domain name
    • www.example.com: the single domain name www.example.com
    • *.example.com: all domain names ending in .example.com, for example test.example.com
  • Service - Source port or destination port
    • 1-65535: all ports
    • 80-443: all ports from 80 to 443 inclusive
    • 80 and 443 entered as separate values: ports 80 and 443 only
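The following Python model is added here as an example; it is not CFW product code and does not reproduce CFW's matching engine. It ties together the priority order from Priority of Access Control Policies (whitelist > blacklist > protection rules, default allow), the rule elements and example inputs above (address or CIDR, IP address groups as lists, port lists and ranges such as 80-443 and 80,443, wildcard domain names matched on the Host/SNI value, and ICMP without ports), and the blocking precaution about reverse proxy addresses (a check that a proposed block entry does not also cover protected WAF back-to-source addresses). Assumptions not stated on the page: protection rules are evaluated top-down with the first match winning; *.example.com matches test.example.com but not the bare example.com; the IPS status of traffic allowed by default is left as None; all rule names, flows and addresses are constructed, using RFC 5737 documentation ranges.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from fnmatch import fnmatchcase
ANY = "any"

def port_matches(spec: str, port: int) -> bool:
    """spec: 'any', '22', a range '80-443', or a comma list '80,443'."""
    if spec == ANY:
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def addr_matches(spec, ip: str) -> bool:
    """spec: 'any', one IP/CIDR string, or a list of them (an IP address group)."""
    if spec == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    nets = [spec] if isinstance(spec, str) else spec
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def domain_matches(spec: str, host) -> bool:
    """spec: exact name or wildcard such as '*.example.com'. Assumption: the
    wildcard covers test.example.com but not the bare example.com."""
    return host is not None and fnmatchcase(host.lower(), spec.lower())

# A flow as the firewall sees it; host is the HTTP Host or TLS SNI when present.
Flow = namedtuple("Flow", "src_ip dst_ip proto sport dport host", defaults=(None,))
Decision = namedtuple("Decision", "action matched_by ips_checked")

@dataclass
class Rule:
    """A protection rule; also reused for blacklist/whitelist entries (action ignored)."""
    name: str
    action: str = "allow"          # 'allow' or 'block'
    src: object = ANY              # IP/CIDR, list (address group) or 'any'
    dst: object = ANY
    dst_domain: str = None         # exact or wildcard domain name, or None
    proto: str = ANY               # 'tcp', 'udp', 'icmp' or 'any'
    sport: str = ANY
    dport: str = ANY
    def matches(self, f: Flow) -> bool:
        if not (addr_matches(self.src, f.src_ip) and addr_matches(self.dst, f.dst_ip)):
            return False
        if self.dst_domain and not domain_matches(self.dst_domain, f.host):
            return False
        if self.proto not in (ANY, f.proto):
            return False
        if f.proto == "icmp":      # ICMP has no ports, so no port check applies
            return True
        return port_matches(self.sport, f.sport) and port_matches(self.dport, f.dport)

def evaluate(f: Flow, whitelist, blacklist, rules) -> Decision:
    """Priority from the page: whitelist > blacklist > protection rules > default allow.
    Assumption: rules are evaluated top-down, first match wins. ips_checked is None
    for the default path, which the page does not describe."""
    for e in whitelist:
        if e.matches(f):
            return Decision("allow", f"whitelist:{e.name}", False)   # bypasses IPS
    for e in blacklist:
        if e.matches(f):
            return Decision("block", f"blacklist:{e.name}", False)
    for r in rules:
        if r.matches(f):
            return Decision(r.action, f"rule:{r.name}", r.action == "allow")
    return Decision("allow", "default", None)

def blocked_proxies(block_spec, protected) -> list:
    """Precaution check: which protected addresses (e.g. WAF back-to-source IPs)
    would a proposed block entry also cover?"""
    blocks = [ipaddress.ip_network(b, strict=False)
              for b in ([block_spec] if isinstance(block_spec, str) else block_spec)]
    return [p for p in protected
            if any(ipaddress.ip_network(p, strict=False).overlaps(b) for b in blocks)]

# Constructed policy and flows; RFC 5737 documentation ranges stand in for real addresses.
WHITELIST = [Rule("ops-jumphost", src="203.0.113.10")]
BLACKLIST = [Rule("scanner-net", src="198.51.100.0/24")]
RULES = [
    Rule("allow-web", "allow", dst="10.0.0.0/8", proto="tcp", dport="80,443"),
    Rule("allow-example", "allow", dst_domain="*.example.com", proto="tcp", dport="443"),
    Rule("block-ssh", "block", proto="tcp", dport="22"),
]
FLOWS = {
    "whitelisted-ssh": Flow("203.0.113.10", "10.1.2.3", "tcp", 51000, 22),
    "blacklisted-https": Flow("198.51.100.7", "10.1.2.3", "tcp", 51001, 443),
    "web-https": Flow("192.0.2.5", "10.1.2.3", "tcp", 51002, 443),
    "web-ssh": Flow("192.0.2.5", "10.1.2.3", "tcp", 51003, 22),
    "egress-sub": Flow("10.1.2.3", "192.0.2.80", "tcp", 51004, 443, "test.example.com"),
    "egress-apex": Flow("10.1.2.3", "192.0.2.80", "tcp", 51005, 443, "example.com"),
}

def demo() -> dict:
    return {name: evaluate(f, WHITELIST, BLACKLIST, RULES) for name, f in FLOWS.items()}

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
    print("blocking 198.51.100.0/24 also covers:",
          blocked_proxies("198.51.100.0/24", ["198.51.100.200", "203.0.113.0/28"]))
```

Running the file shows the whitelisted jump host reaching port 22 although a block rule exists for it, the blacklisted scanner being blocked although an allow rule would match, the wildcard domain rule matching test.example.com but not example.com (which falls through to the default), and the precaution check flagging that a /24 block would also cover a protected back-to-source address inside it.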
